IT Security News Blast 3-1-2017

OCR Calls for Healthcare Cybersecurity Collaboration

The government, private sector, and international network defense communities all need to work toward stronger collaboration and information sharing to combat the increasing number of healthcare cybersecurity threats, the Office for Civil Rights (OCR) stated in its February Cyber Awareness Newsletter. Healthcare is part of the national infrastructure, and is becoming a more common target for cyber attacks, OCR explained. […] Toward the end of 2016, US-CERT announced its new cybersecurity incident notification guidelines, which will go into effect on April 1, 2017.

Governors Discuss Better Coordination, Establishing Protocols to Improve Cybersecurity

Virginia Gov. Terry McAuliffe, who also chairs the NGA cybersecurity committee, facilitated the roughly hour-long panel conversation, saying that states are increasingly handling more data than federal agencies and that the need for improved coordination has never been greater. […] Of the areas states need to improve on, McAuliffe pointed to the need to bolster critical infrastructure protections and vulnerability assessments; ensure timely, consistent and useful briefings; National Institute of Standards and Technology alignment; and for state leaders to look long-term when it comes to goals and response plans.

Feds have an abysmal track record when it comes to cybersecurity

This could be seen most obviously in the hack of the Office of Personnel Management that compromised 21.5 million government records and in the 2015 hack of the Internal Revenue Service, which exposed the information of at least 724,000 taxpayers to bad actors. In fact, there are a few dozen smaller cyber-attacks on the federal government each year, most of which go unnoticed by the public. These cases where the government failed to defend both itself and citizens who trusted their data would be secure continue to proliferate, even though the government spends roughly $75 billion on IT each year, much of it specifically dedicated to cybersecurity improvements.

Here’s a new way to prevent cyberattacks on home devices

Homeowners worried about cybersecurity attacks on IP-connected devices like lights, baby monitors, home security systems and cameras will soon be able to take advantage of a $200 network monitoring device called Dojo. […] The Dojo hardware connects with a cable to a home’s Wi-Fi router to intercept IP packets and block real-time cyberattacks. It uses artificial intelligence to customize a security policy for each device on the network, the company said.

Opinion: The tech behind Bitcoin could reinvent cybersecurity

Though Bitcoin gets most of the press, the technology undergirding it – blockchains – has the potential to transform business, and maybe even revolutionize cybersecurity. […] The cybersecurity firm Guardtime uses blockchain technology to secure Britain’s power grid, including its nuclear power plants and flood defenses. Guardtime uses blockchain technology known as Keyless Signature Infrastructure (KSI) to detect “unauthorized changes in software configurations [by] … providing a complete chain of the history of the data that is generated and transmitted.”
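The Guardtime quote above describes the core mechanism in general terms: every version of a piece of data is recorded in a chain whose links are hashes, so an unauthorized change to any recorded version breaks the chain at that point. The block below is an added example, not code from the article or from Guardtime, of that idea reduced to a single hash-linked history of configuration versions. Real KSI goes further (hash trees aggregated across many clients and periodically anchored in a published calendar so the chain head itself cannot be rewritten); the sample firewall rule set and author names are constructed.

```python
"""Tamper-evident history of configuration versions, built as a hash chain.

Added illustration of the idea in the Guardtime quote (a complete, verifiable
history of data so unauthorized changes stand out). It is NOT Guardtime's KSI:
KSI additionally anchors hashes in a public calendar and uses hash trees rather
than this single linked list."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except entry_hash itself, using a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True))


def append_version(chain: list, config_text: str, author: str) -> dict:
    """Record a new configuration version, linking it to the previous entry."""
    entry = {
        "seq": len(chain),
        "author": author,
        "config_sha256": sha256_hex(config_text),
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return None if the history is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["seq"] != i
                or entry["prev_hash"] != prev
                or entry_hash(entry) != entry["entry_hash"]):
            return i
        prev = entry["entry_hash"]
    return None


def config_matches_history(chain: list, config_text: str) -> bool:
    """Does the currently deployed config equal the last recorded version?"""
    return bool(chain) and chain[-1]["config_sha256"] == sha256_hex(config_text)


if __name__ == "__main__":
    # Constructed sample: three approved versions of a firewall rule set.
    history = []
    for author, cfg in [("alice", "allow 22/tcp from 10.0.0.0/8\n"),
                        ("bob", "allow 22/tcp from 10.0.0.0/8\nallow 443/tcp\n"),
                        ("alice", "allow 443/tcp\n")]:
        append_version(history, cfg, author)
    print("intact:", verify_chain(history) is None)
    # Someone edits a recorded hash to hide a change: the chain breaks there.
    history[1]["config_sha256"] = sha256_hex("allow 22/tcp from 0.0.0.0/0\n")
    print("first bad entry:", verify_chain(history))
```

Re-hashing the edited entry does not help the tamperer: the next entry's `prev_hash` no longer matches, so the break simply moves one link forward, and it can only be hidden by rewriting every later entry. That is why the head of such a chain has to live somewhere the party being audited cannot write, which is the role the public anchoring in KSI plays.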

Amazon cloud sputters for hours, and a boatload of websites go offline

The “Internet of Sh*t” Twitter account has been retweeting people who say Internet-connected devices such as an oven, remote light controllers (including one powered by IFTTT), and a front gate have been affected. We’d put these reports in the “unconfirmed” category, but problems with these sorts of devices wouldn’t be surprising since so many services rely on Amazon.

Cybersecurity: Top Reads Right Now

For your reference, here’s a recap of popular cybersecurity advisories published on JD Supra during February. You’ll find an excellent collection of in-depth publications covering all aspects of cyber matters of import in the new year (from Bryan Cave, Skadden, Foley Hoag, Bennett Jones, et al.) as well as updates on specific timely issues, including a look at new state laws, the Yahoo! breach, and grid concerns in the energy sector.

Cybersecurity Self-Defense: How to Make Your Smartphone More Secure

  1. Strengthen Your Password Settings
  2. Encrypt It!
  3. Find Your Phone’s Unique Numbers
  4. Consider Disabling Cloud Backups
  5. Limit Location Tracking
  6. Change Your Phone’s Name
  7. Minimize Browser Leakage
  8. Choose Your Apps, and Manage Their Permissions, Wisely

How To Start A Lucrative Career In Cybersecurity

  1. Don’t specialize just in security
  2. Sometimes it’s who you know–so network
  3. Not in tech yet? Start by studying up on IT basics
  4. Legitimize your skills by earning certifications
  5. Show initiative in your own time
  6. Hone your data analysis skills

Data Stolen From Singapore Military In ‘Carefully Planned’ Cyber Attack

“The attack on I-net appeared to be targeted and carefully planned,” it said in a statement. “The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems.” […] “The attack did not come from camps or internal systems,” he said. “Neither was it the work of casual hackers or criminal gangs.”

Luxembourg state servers attacked

The state’s internet infrastructure has been the target of a malicious attack that began on Monday morning. From around 9:30 am Monday, the web servers of many state authorities and offices were down or difficult to reach. At 10:50 am, the state-owned IT operator “Centre des Techniques de l’information de l’Etat” (CTIE) sent a message via Twitter saying the state network was the victim of a so-called “distributed denial of service attack” (DDoS).

Analysis: Election hackers used many of the same techniques as Carbanak gang

TruSTAR, the threat intelligence exchange provider that conducted the research, has cautioned that its findings do not necessarily mean that APT 28 (Fancy Bear) or APT 29 (Cozy Bear), the two Russian government-sponsored threat groups tied to Grizzly Steppe, are one and the same as Carbanak, which is also tied to Russia and has garnered a reputation for stealing from financial institutions. Still, one also cannot summarily dismiss the notion that the groups are somehow related or share certain personnel, especially because they have adopted similar tactics, techniques and procedures (TTPs).

Crossed Swords 2017 Takes Cyber War Games to Next Level

“The scenario was based on a military cyber-operation,” explained Aare Reintam, exercise director at the NATO CCD COE. “Penetration testers, digital battlefield professionals and members of Special Forces were tasked with regaining control over a specific military system. This one-of-a-kind cyber-kinetic engagement meant that Special Forces were used to retrieve physical evidence, including electronic equipment and data storage devices, as they would in a realistic mission in cooperation with battlefield digital forensics professionals.”

Cyber Insurance Industry Needs a Lot of Work, Deloitte Report Finds

Explaining how a cyber insurance policy works has proven to be quite difficult. Customers can choose from stand-alone policies all they like, yet not all of them include cyber protection as most companies would like. Defining the boundaries of these new offerings needs a lot of work, as businesses will not spend money on something they may not entirely understand, let alone know they need.

ABA to offer cyber liability insurance

The cyber insurance, underwritten by Chubb Limited, covers law firm expenses associated with hacking, including the costs of network extortion, income loss and forensics, according to an ABA press release. Liability protection and defense costs are also covered. ABA Insurance is available only to ABA members and their families through USI Affinity.

Our TV Viewing Habits Can Be Monitored for the Benefit of Marketers

TVision is a start-up company that devises monitoring campaigns to inform marketers about the viewing habits of people. […] The New York Times reports that last year, TVision hired a 48-year-old Chicago resident, Ellen Milz, for this purpose. For the campaign, she had to connect and install a device on top of her television set and let it inspect her and her family’s viewing habits over the course of a few months. The device in question was a Microsoft Kinect device that is used for playing Xbox video games. […] The sensors of this device can track the movement of the eyes of those sitting in front of the TV and record minute shifts for the people present in the room.

Hand in hand: Privacy and transparency

Under the new rules, companies could consider two different options when reporting on government requests – one that allows for more generalized aggregate reporting in bands of 250, or another that allows for a greater breakdown of reporting in bands of a thousand. […] “While there remain some constraints on what we can publish, we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. government pursuant to national security authorities,” Brad Smith, general counsel and executive vice president with Microsoft, posted at the time.

After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor

Last Friday, Google quietly announced that E2EMail, an extension for Chrome that would seamlessly encrypt and decrypt Gmail messages, was no longer a Google effort. Instead, the company has invited the outside developer community to adopt the project’s open-source code. Google was careful to emphasize in a blog post describing the change that it hasn’t given up work on its email encryption tool. But cryptographers and members of the privacy community see the move as confirmation that Google has officially backburnered a critical privacy and security initiative.

Two million recordings of families imperiled by cloud-connected toys’ crappy MongoDB

Essentially, the $40 cuddly CloudPets feature built-in microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet. […] CloudPets’ internet-facing MongoDB installation, on port 2701 at, required no authentication to access, and was repeatedly extorted by miscreants, evidence shows. The database contains links to .WAV files of voice messages hosted in the Amazon cloud, again accessible with no authentication, potentially allowing the mass slurping of more than two million highly personal conversations between families and their little ones.
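The CloudPets exposure combines two settings that are each harmless alone: mongod listening on a public interface, and authorization left off. The script below is an added example, not code from the article or from CloudPets, that audits a mongod.conf for exactly that pair. The option names (`net.bindIp`, `net.port`, `security.authorization`) are MongoDB's real configuration keys; the two configuration fragments and the tiny two-level reader used to parse them are constructed for the example (use `yaml.safe_load` on real files).

```python
"""Audit mongod.conf settings for the pattern in the CloudPets story:
an internet-facing MongoDB that accepts connections without authentication.

Added example, not the article's or CloudPets' code. The two fragments below
are constructed; the keys are MongoDB's real mongod.conf option names."""

# Constructed: the weak pattern, listening on every interface, no authorization.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed: the hardened pattern, loopback only, role-based authorization on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Read the flat 'section:' / '  key: value' shape used above.

    Deliberately minimal (two levels, no lists, no quoting); it is not a YAML
    parser. Real deployments should load mongod.conf with yaml.safe_load."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means neither problem was seen."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    # Which interfaces does mongod listen on? Before MongoDB 3.6 a missing
    # bindIp meant all interfaces, so an unset value is treated as exposed.
    bind = net.get("bindIp")
    listeners = [ip.strip() for ip in bind.split(",")] if bind else ["<unset>"]
    exposed = [ip for ip in listeners if ip not in LOOPBACK]
    if exposed:
        findings.append(
            f"net.bindIp listens on non-loopback interface(s) {exposed} "
            f"(port {net.get('port', '27017')})")

    # Without security.authorization, every client that reaches the port has
    # full read/write access to every database.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")

    # The combination is what turns a misconfiguration into a public data leak.
    if len(findings) == 2:
        findings.append("CRITICAL: reachable from other hosts AND unauthenticated")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```

Binding to loopback is the right default for a database that only its application tier should reach; where the application runs on other hosts, restrict `bindIp` to the private interface and put a host firewall in front of the port, and in every case enable authorization before the service is started. The same reasoning applies to the second leak in the story: objects in cloud storage need their own access controls, independent of whatever the database does.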

Researchers find “severe” flaw in WordPress plugin with 1 million installs

More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions. […] Sucuri has assigned a severity rating of 9 out of a possible 10 points to the vulnerability, which was fixed in version 2.1.79 of the plugin. The update changelog makes no reference to the vulnerability, so it’s not clear how widely known the threat is.

Germany, France lobby hard for terror-busting encryption backdoors – Europe seems to agree

These proposed measures include allowing the greater sharing of people’s personal information between nations’ police forces to fight crime; more reliance on biometrics; and – as is depressingly predictable these days – demands for technology companies to come up with impossible encryption systems that are secure, strong, and yet easily crackable by law enforcement on demand. That would allow investigators to decrypt suspects’ intercepted messages and seized documents without needing the person’s passphrase or private keys.